Describe the issue:
We have internal users and LDAPS auth/authc.
We ship logs from k8s directly to OpenSearch with filebeat 7.12.1 and the internal user filebeat.
But in the log messages I get this error:
Cannot retrieve roles for User [name=filebeat, backend_roles=[develop], requestedTenant=null] from ldap due to OpenSearchSecurityException[OpenSearchSecurityException[No user filebeat found]]; nested: OpenSearchSecurityException[No user filebeat found];
org.opensearch.OpenSearchSecurityException: OpenSearchSecurityException[No user filebeat found]
The same problem occurs when I try to apply terraform resources with an internal user login/password.
And there are errors in the log file:
OpenSearch tries to log in to a non-existent domain:
Could not follow referral to ldaps://DomainDnsZones.domain.local/DC=DomainDnsZones,DC=domain,DC=local
org.ldaptive.provider.ConnectionException: javax.naming.CommunicationException: DomainDnsZones.domain.local:636 [Root exception is javax.net.ssl.SSLHandshakeException: Hostname '[DomainDnsZones.domain.local]' does not match the hostname in the server's certificate 'CN=dc.domain.local']
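---
# OpenSearch Security config.yml: authentication (authc) and authorization
# (authz) domains for the internal user database and LDAPS / Active Directory.
_meta:
  type: "config"
  config_version: 2

config:
  dynamic:
    http:
      # Unauthenticated requests are accepted as the anonymous user; keep the
      # role mapping granted to that user minimal, or set this to false.
      anonymous_auth_enabled: true
      xff:
        enabled: false
        internalProxies: '192\.168\.0\.10|192\.168\.0\.11'  # regex pattern
        # internalProxies: '.*'  # trust all internal proxies, regex pattern
        # remoteIpHeader: 'x-forwarded-for'
        ###### see https://docs.oracle.com/javase/7/docs/api/java/util/regex/Pattern.html for regex help
        ###### more information about XFF https://en.wikipedia.org/wiki/X-Forwarded-For
        ###### and here https://tools.ietf.org/html/rfc7239
        ###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve

    authc:
      # Tried first (order 0). Internal users such as filebeat exist only here,
      # not in LDAP.
      basic_internal_auth_domain:
        description: "Authenticate via HTTP Basic against internal users database"
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: true
        authentication_backend:
          type: internal

      ldaps:
        description: "Authenticate via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: false
        order: 4
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
          type: ldap
          config:
            # enable ldaps
            enable_ssl: true
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            pemtrustedcas_filepath: /etc/opensearch/domain_ca.pem
            hosts:
              - dc.domain.ru:636
            bind_dn: 'CN=ldap_opensearch,OU=OpenSearch,OU=Special accounts,DC=domain,DC=local'
            # Bind password in plaintext: keep this file out of version control.
            password: 'password'
            # Searching from the domain root likely makes AD answer with referrals
            # to its DomainDnsZones/ForestDnsZones partitions (the "Could not
            # follow referral" error); an OU that holds the accounts avoids that.
            userbase: 'DC=domain,DC=local'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            usersearch: '(sAMAccountName={0})'
            # Use this attribute from the user as username (if not set then DN is used)
            username_attribute: 'sAMAccountName'

    authz:
      ldaps:
        description: "Authorize via LDAP or Active Directory"
        http_enabled: true
        transport_enabled: false
        authorization_backend:
          # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
          type: ldap
          config:
            # enable ldaps
            enable_ssl: true
            # enable start tls, enable_ssl should be false
            enable_start_tls: false
            # send client certificate
            enable_ssl_client_auth: false
            # verify ldap hostname
            verify_hostnames: true
            pemtrustedcas_filepath: /etc/opensearch/domain_ca.pem
            hosts:
              - dc.domain.ru:636
            bind_dn: 'CN=ldap_opensearch,OU=OpenSearch,OU=Special accounts,DC=domain,DC=local'
            # Bind password in plaintext: keep this file out of version control.
            password: 'password'
            # Users that exist only in the internal database have no LDAP entry,
            # so the LDAP role lookup for them fails with "No user <name> found".
            # Listing them here makes this authz domain skip them.
            skip_users:
              - filebeat
            rolebase: 'OU=OpenSearch,OU=Special accounts,DC=domain,DC=local'
            # Filter to search for roles (currently in the whole subtree beneath rolebase)
            # {0} is substituted with the DN of the user
            # {1} is substituted with the username
            # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. Use userroleattribute to specify the name of the attribute
            rolesearch: '(member={0})'
            # Specify the name of the attribute which value should be substituted with {2} above
            userroleattribute: null
            # Roles as an attribute of the user entry
            userrolename: 'memberOf'
            # userrolename: memberOf
            # The attribute in a role entry containing the name of that role, Default is "name".
            # Can also be "dn" to use the full DN as rolename.
            rolename: cn
            # Resolve nested roles transitive (roles which are members of other roles and so on ...)
            resolve_nested_roles: true
            # Same domain-root referral caveat as the authc userbase above.
            userbase: 'DC=domain,DC=local'
            # Filter to search for users (currently in the whole subtree beneath userbase)
            # {0} is substituted with the username
            # Kept in sync with the authc usersearch: this directory keys users by
            # sAMAccountName, so the previous '(uid={0})' matched nobody.
            usersearch: '(sAMAccountName={0})'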